Mirrors under attack?

[Thorsten Neckel <ap...@neckel.com>]

Hello!
Are (some of) the Apache mirrors under some kind of attack? Currently I have 
about 1 req. per 30 seconds for httpd-2.0.54.tar.gz. Most of the requests 
came from 218.103., 218,215.,219.78 and 203,168. Always the same file.

regards
thorsten

Re: Mirrors under attack?

[José Manuel Macías <jm...@rediris.es>]

El Thursday 15 September 2005 21:38, John Reuning escribió:
> I'm curious what you've used to control usage like this.  Mod_choke for
> apache seems to work well, but are there other good tools?

    Hi!

    I'm using limitipconn:

         http://dominia.org/djao/limitipconn.html

   but I'm sure you will find more in the apache module registry:

        http://modules.apache.org

   atb,

   josé manuel.
-- 
RedIRIS, The Spanish NREN
Edificio Bronce. Plaza Manuel Gómez Moreno, s/n
28020 Madrid (Spain)
jid: macias@im.rediris.es / Tlf: (+34) 91 212 76 25

Re: Mirrors under attack?

[michele <ho...@publicshout.org>]

I used a "proxy" written by myself, sort of bernstein' tcpserver, but 
proxying
instead of "incapsulating" the serving process.
The process listen on port 80, records the client IP in a list, and 
delays
every connection to DELAY * previous_connections_number seconds.
With an ALRM signal every X seconds it instead decrements the counter
of connections, pruning those at 0. Simple and very rough, but happened
to be effective.

I wrote it a couple of years ago and used it for about 1 year. I took 
it down
when I got more bandwidth; I didn't need it anymore, it was written down
very quickly and I simply didn't trust it.

I didn't find any apache module capable of such stateful behavior at the
time. And mind that mod_bandwidth and similar ones just do not resolve
the problem anyhow: you slow down good users, do not make
any bad to bad ones, and increase the load on your server for shaping
and for keeping more concurrent connection open longer.

I guess there are several load balancer softwares you can get a similar
behavior with anyway, even fairly reliable and maintained.

bye


On 15/set/05, at 22:45, Valentino D'Ostilio wrote:

> John Reuning wrote:
>
>> I'm curious what you've used to control usage like this.  Mod_choke 
>> for
>> apache seems to work well, but are there other good tools?
>>
>> Thanks,
>>
>> -jrr
>>
>>
> I've had great success with mod_bandwidth (located at 
> http://www.ivn.cl/apache/).  I think the specific module you use is a 
> matter of personal preference more than anything.. at first glance 
> they all appear to support the same functionality.  An example 
> configuration syntax for mod_bandwidth looks like:
>    BandWidthModule On
>    BandWidth all 512000
>    MinBandWidth all -1
> Pretty simple imo.
>
> Good luck.
>
>
> -Valentino
>

Re: Mirrors under attack?

[Valentino D'Ostilio <va...@gdi-tech.com>]

John Reuning wrote:

>I'm curious what you've used to control usage like this.  Mod_choke for
>apache seems to work well, but are there other good tools?
>
>Thanks,
>
>-jrr
>
>  
>
I've had great success with mod_bandwidth (located at 
http://www.ivn.cl/apache/).  I think the specific module you use is a 
matter of personal preference more than anything.. at first glance they 
all appear to support the same functionality.  An example configuration 
syntax for mod_bandwidth looks like:
    BandWidthModule On
    BandWidth all 512000
    MinBandWidth all -1
Pretty simple imo.

Good luck.


-Valentino

Re: Mirrors under attack?

[John Reuning <jo...@ibiblio.org>]

I'm curious what you've used to control usage like this.  Mod_choke for
apache seems to work well, but are there other good tools?

Thanks,

-jrr

On Thu, 2005-09-15 at 15:24, michele wrote:
> I experienced that behavior several times. The solution I chose is
> to throttle connections from the same ip.
> 
> Mind that he could just be some guy trying to fetch the whole repos
> before asking to be subscribed. This isn't the right way to do it, but I
> guess they simply find master sources slower.

Re: Mirrors under attack?

[Shane Goulden <sh...@matrixau.net>]

Yeah. I get people trying to fetch the entire repos. I just block them.

Pushes to about 80 Mbps from that IP alone.

- Shane.

----- Original Message ----- 
From: "michele" <ho...@publicshout.org>
To: <mi...@apache.org>
Sent: Friday, September 16, 2005 5:24 AM
Subject: Re: Mirrors under attack?


>I experienced that behavior several times. The solution I chose is
> to throttle connections from the same ip.
> 
> Mind that he could just be some guy trying to fetch the whole repos
> before asking to be subscribed. This isn't the right way to do it, but I
> guess they simply find master sources slower.
> 
> bye
> 
> 
> On 15/set/05, at 20:33, Thorsten Neckel wrote:
> 
>> Hi!
>>> I usually block the
>>> offending class C via iptables/pf and go from there.  (Flushing blocks
>>> every 6 months).
>> Currently I use Order Deny,Allow via .htaccess to block such subnets.
>>
>>> I have the same problem here, but looks like is a spybot, just like 
>>> the google
>>> or altavista uses to search pages.
>> Not in my case. They download the whole file.
>>
>>> looks like it does not consume a lot of resources,
>> No, about 1 GByte every 30 minutes. At time writing the only solution 
>> is to block these guys.
>>
>> regards
>> thorsten
>>
> 
> 
> 
>

Re: Mirrors under attack?

[michele <ho...@publicshout.org>]

I experienced that behavior several times. The solution I chose is
to throttle connections from the same ip.

Mind that he could just be some guy trying to fetch the whole repos
before asking to be subscribed. This isn't the right way to do it, but I
guess they simply find master sources slower.

bye


On 15/set/05, at 20:33, Thorsten Neckel wrote:

> Hi!
>> I usually block the
>> offending class C via iptables/pf and go from there.  (Flushing blocks
>> every 6 months).
> Currently I use Order Deny,Allow via .htaccess to block such subnets.
>
>> I have the same problem here, but looks like is a spybot, just like 
>> the google
>> or altavista uses to search pages.
> Not in my case. They download the whole file.
>
>> looks like it does not consume a lot of resources,
> No, about 1 GByte every 30 minutes. At time writing the only solution 
> is to block these guys.
>
> regards
> thorsten
>

Re: Mirrors under attack?

[Thorsten Neckel <ap...@neckel.com>]

Hi!
> I usually block the
> offending class C via iptables/pf and go from there.  (Flushing blocks
> every 6 months).
Currently I use Order Deny,Allow via .htaccess to block such subnets.

> I have the same problem here, but looks like is a spybot, just like the 
> google
> or altavista uses to search pages.
Not in my case. They download the whole file.

>looks like it does not consume a lot of resources,
No, about 1 GByte every 30 minutes. At time writing the only solution is to 
block these guys.

regards
thorsten 

Re: Mirrors under attack?

[Gabriel Espinosa de los Monteros <ge...@inca.gob.mx>]

El Jue 15 Sep 2005 11:54, Valentino D'Ostilio escribió:
> Thorsten Neckel wrote:
> > Hello!
> > Are (some of) the Apache mirrors under some kind of attack? Currently
> > I have about 1 req. per 30 seconds for httpd-2.0.54.tar.gz. Most of
> > the requests came from 218.103., 218,215.,219.78 and 203,168. Always
> > the same file.
> >
> > regards
> > thorsten
>
> Get used to it.  I've experienced this type of activity from various
> sources since becomming an official mirror.  I usually block the
> offending class C via iptables/pf and go from there.  (Flushing blocks
> every 6 months).  Not sure what else can be done to thwart/prevent this
> type of abuse.  Are they intentionally trying to consume $ resources?  A
> misconfiguration somewhere (unlikely)? Any ideas?
>
>
> -Valentino

I have the same problem here, but looks like is a spybot, just like the google 
or altavista uses to search pages. I thing theres nothing we can do, but 
looks like it does not consume a lot of resources, it just search inside 
the .tar.gz for the names of the files

-- 
Atte.
Gabriel Espinosa de los Monteros

Re: Mirrors under attack?

[Valentino D'Ostilio <va...@gdi-tech.com>]

Thorsten Neckel wrote:

> Hello!
> Are (some of) the Apache mirrors under some kind of attack? Currently 
> I have about 1 req. per 30 seconds for httpd-2.0.54.tar.gz. Most of 
> the requests came from 218.103., 218,215.,219.78 and 203,168. Always 
> the same file.
>
> regards
> thorsten
>
Get used to it.  I've experienced this type of activity from various 
sources since becomming an official mirror.  I usually block the 
offending class C via iptables/pf and go from there.  (Flushing blocks 
every 6 months).  Not sure what else can be done to thwart/prevent this 
type of abuse.  Are they intentionally trying to consume $ resources?  A 
misconfiguration somewhere (unlikely)? Any ideas?


-Valentino